SANS ISC InfoSec Forums

Didier Stevens documented an interesting experiment, in which he purchased a Google ad that encouraged people to click on the ad to be infected. (Thanks for the pointer, Johannes!) Didier was curious to see how many people would actually click. More than you might think. It turns out, the "ad was displayed 259,723 times and clicked on 409 times. That’s a click-through-rate of 0.16%." Not bad at all, considering that the campaign cost around $23.

The ad said:

Drive-By Download
Is your PC virus-free?
Get it infected here!

Enticing potential victims via ads to visit a site that turns out to be malicious is a popular attack vector. Exploit Prevention Labs documented one such example a few weeks ago, where a Google ad that seemed to advertise the Better Business Bureau took the victim to a malicious site before forwarding him or her to the actual BBB website. The malicious site used "a modified MDAC exploit to try to install a backdoor" and a keylogger on the victim's system.

Another example comes from Google's research paper that describes a malicious ad found on a video sharing site in December 2006. The page included a banner ad from a "large American advertising company. The advertisement was delivered in form of a single line of JavaScript that generated JavaScript to be fetched from another large American advertising company. This JavaScript in turn generated more JavaScript pointing to a smaller American advertising company..." The ad "resulted in a single line of HTML containing an iframe pointing to a Russian advertising company. When trying to retrieve the iframe, the browser got redirected, via a Location header" that directed the browser to retrieve malicious JavaScript.

Perhaps there is no need for attackers to create advanced redirection chains or elaborate deception schemes. As Didier Stevens' experiment confirmed, people will click on anything.